Add duplicate frame detection (and removal) to editcap. (Some switches
generate duplicate packets when a mirror/SPAN port is misconfigured). svn path=/trunk/; revision=18800
parent
52e9a9c012
commit
9045703e2c
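--- a/PATH_NOT_SHOWN_automake_makefile
+++ b/PATH_NOT_SHOWN_automake_makefile
@@ -201,7 +201,8 @@ mergecap_SOURCES = \
 
 # editcap specifics
 editcap_SOURCES = \
-editcap.c
+editcap.c \
+epan/crypt-md5.c
 
 # dftest specifics
 dftest_SOURCES = \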
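Review bot: The added epan/crypt-md5.c entry in editcap_SOURCES gives editcap a privately compiled MD5 implementation; if the project also keeps a separate source list for another build system (a Windows build, for instance), that list needs the same entry or the new `-d` option will fail to link there. Nothing in this hunk shows whether that was done, so this is a consistency check rather than a defect. The entry itself follows the existing `editcap.c \` continuation style of the list.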
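--- a/PATH_NOT_SHOWN_editcap_pod
+++ b/PATH_NOT_SHOWN_editcap_pod
@@ -8,6 +8,7 @@ editcap - Edit and/or translate the format of capture files
 B<editcap>
 S<[ B<-c> E<lt>packets per fileE<gt> ]>
 S<[ B<-C> E<lt>choplenE<gt> ]>
+S<[ B<-d> ]>
 S<[ B<-E> E<lt>error probabilityE<gt> ]>
 S<[ B<-F> E<lt>file formatE<gt> ]>
 S<[ B<-A> E<lt>start timeE<gt> ]>
@@ -71,6 +72,12 @@ Each packet is chopped at the packet end by a few <choplen> bytes of data.
 This is useful in the rare case that the conversion between two file
 formats leaves some random bytes at the end of each packet.
 
+=item -d
+
+Attempts to remove duplicate packets. The length and MD5 sum of the
+current packet are compared to the previous four packets. If a match
+is found, the packet is skipped.
+
 =item -E E<lt>error probabilityE<gt>
 
 Sets the probabilty that bytes in the output file are randomly changed.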
@ -4,42 +4,42 @@
|
||||||
|
|
||||||
<appendix id="AppTools">
|
<appendix id="AppTools">
|
||||||
<title>Related command line tools</title>
|
<title>Related command line tools</title>
|
||||||
|
|
||||||
<section id="AppToolsIntroduction">
|
<section id="AppToolsIntroduction">
|
||||||
<title>Introduction</title>
|
<title>Introduction</title>
|
||||||
<para>
|
<para>
|
||||||
Beside the Wireshark GUI application, there are some command line tools,
|
Beside the Wireshark GUI application, there are some command line tools,
|
||||||
which can be helpful for doing some more specialized things. These tools
|
which can be helpful for doing some more specialized things. These tools
|
||||||
will be described in this chapter.
|
will be described in this chapter.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolstshark">
|
<section id="AppToolstshark">
|
||||||
<title><command>tshark</command>: Terminal-based Wireshark</title>
|
<title><command>tshark</command>: Terminal-based Wireshark</title>
|
||||||
<para>
|
<para>
|
||||||
<application>TShark</application> is a terminal oriented version
|
<application>TShark</application> is a terminal oriented version
|
||||||
of Wireshark designed for capturing and displaying packets when an
|
of Wireshark designed for capturing and displaying packets when an
|
||||||
interactive user interface isn't necessary or available. It supports
|
interactive user interface isn't necessary or available. It supports
|
||||||
the same options as <command>wireshark</command>. For more
|
the same options as <command>wireshark</command>. For more
|
||||||
information on <command>tshark</command>, see the manual pages
|
information on <command>tshark</command>, see the manual pages
|
||||||
(<command>man tshark</command>).
|
(<command>man tshark</command>).
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolstcpdump">
|
<section id="AppToolstcpdump">
|
||||||
<title><command>tcpdump</command>: Capturing with tcpdump for viewing
|
<title><command>tcpdump</command>: Capturing with tcpdump for viewing
|
||||||
with Wireshark</title>
|
with Wireshark</title>
|
||||||
<para>
|
<para>
|
||||||
There are occasions when you want to capture packets using
|
There are occasions when you want to capture packets using
|
||||||
<command>tcpdump</command> rather than <command>wireshark</command>,
|
<command>tcpdump</command> rather than <command>wireshark</command>,
|
||||||
especially when you want to do a remote capture and do not want the
|
especially when you want to do a remote capture and do not want the
|
||||||
network load associated with running Wireshark remotely (not to
|
network load associated with running Wireshark remotely (not to
|
||||||
mention all the X traffic polluting your capture).
|
mention all the X traffic polluting your capture).
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
However, the default <command>tcpdump</command> parameters result in a
|
However, the default <command>tcpdump</command> parameters result in a
|
||||||
capture file where each packet is truncated, because
|
capture file where each packet is truncated, because
|
||||||
<command>tcpdump</command>, by default, does only capture the first 68
|
<command>tcpdump</command>, by default, does only capture the first 68
|
||||||
bytes of each packet.
|
bytes of each packet.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
@ -47,43 +47,43 @@
|
||||||
<programlisting>
|
<programlisting>
|
||||||
tcpdump -i <interface> -s 1500 -w <some-file>
|
tcpdump -i <interface> -s 1500 -w <some-file>
|
||||||
</programlisting>
|
</programlisting>
|
||||||
You will have to specify the correct <command>interface</command> and
|
You will have to specify the correct <command>interface</command> and
|
||||||
the name of a <command>file</command> to save into. In addition,
|
the name of a <command>file</command> to save into. In addition,
|
||||||
you will have to terminate the capture with ^C when you believe you
|
you will have to terminate the capture with ^C when you believe you
|
||||||
have captured enough packets.
|
have captured enough packets.
|
||||||
</para>
|
</para>
|
||||||
<note><title>Note!</title>
|
<note><title>Note!</title>
|
||||||
<para>
|
<para>
|
||||||
tcpdump is not part of the Wireshark distribution. You can get it from:
|
tcpdump is not part of the Wireshark distribution. You can get it from:
|
||||||
<ulink url="&TcpdumpWebsite;">&TcpdumpWebsite;</ulink> for various
|
<ulink url="&TcpdumpWebsite;">&TcpdumpWebsite;</ulink> for various
|
||||||
platforms.
|
platforms.
|
||||||
</para>
|
</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolsdumpcap">
|
<section id="AppToolsdumpcap">
|
||||||
<title><command>dumpcap</command>: Capturing with dumpcap for viewing
|
<title><command>dumpcap</command>: Capturing with dumpcap for viewing
|
||||||
with Wireshark</title>
|
with Wireshark</title>
|
||||||
<para>
|
<para>
|
||||||
<application>Dumpcap</application> is a network traffic dump tool.
|
<application>Dumpcap</application> is a network traffic dump tool.
|
||||||
It lets you capture packet data from a live network and write the
|
It lets you capture packet data from a live network and write the
|
||||||
packets to a file.
|
packets to a file.
|
||||||
Dumpcap's native capture file format is libpcap format, which is also
|
Dumpcap's native capture file format is libpcap format, which is also
|
||||||
the format used by Wireshark, tcpdump and various other tools.
|
the format used by Wireshark, tcpdump and various other tools.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Without any options set it will use the pcap library to capture traffic
|
Without any options set it will use the pcap library to capture traffic
|
||||||
from the first available network interface and writes the received raw
|
from the first available network interface and writes the received raw
|
||||||
packet data, along with the packets' time stamps into a libpcap file.
|
packet data, along with the packets' time stamps into a libpcap file.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Packet capturing is performed with the pcap library.
|
Packet capturing is performed with the pcap library.
|
||||||
The capture filter syntax follows the rules of the pcap library.
|
The capture filter syntax follows the rules of the pcap library.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
<example id="AppToolsdumpcapEx">
|
<example id="AppToolsdumpcapEx">
|
||||||
<title>Help information available from dumpcap</title>
|
<title>Help information available from dumpcap</title>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
Dumpcap 0.99.0
|
Dumpcap 0.99.0
|
||||||
Capture network packets and dump them into a libpcap file.
|
Capture network packets and dump them into a libpcap file.
|
||||||
See http://www.wireshark.org for more information.
|
See http://www.wireshark.org for more information.
|
||||||
|
@ -117,7 +117,7 @@ Miscellaneous:
|
||||||
Example: dumpcap -i eth0 -a duration:60 -w output.pcap
|
Example: dumpcap -i eth0 -a duration:60 -w output.pcap
|
||||||
"Capture network packets from interface eth0 until 60s passed into output.pcap"
|
"Capture network packets from interface eth0 until 60s passed into output.pcap"
|
||||||
|
|
||||||
Use Ctrl-C to stop capturing at any time.
|
Use Ctrl-C to stop capturing at any time.
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</para>
|
</para>
|
||||||
|
@ -127,14 +127,14 @@ Use Ctrl-C to stop capturing at any time.
|
||||||
<title><command>capinfos</command>: Print information about capture files
|
<title><command>capinfos</command>: Print information about capture files
|
||||||
</title>
|
</title>
|
||||||
<para>
|
<para>
|
||||||
Included with Wireshark is a small utility called
|
Included with Wireshark is a small utility called
|
||||||
<command>capinfos</command>, which is a command-line utility to
|
<command>capinfos</command>, which is a command-line utility to
|
||||||
print information about binary capture files.
|
print information about binary capture files.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
<example id="AppToolscapinfosEx">
|
<example id="AppToolscapinfosEx">
|
||||||
<title>Help information available from capinfos</title>
|
<title>Help information available from capinfos</title>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ capinfos -h
|
$ capinfos -h
|
||||||
Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y]
|
Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y]
|
||||||
[-i] [-z] [-h] <capfile>
|
[-i] [-z] [-h] <capfile>
|
||||||
|
@ -151,7 +151,7 @@ Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y]
|
||||||
-z display average packet size (in bytes)
|
-z display average packet size (in bytes)
|
||||||
-h produces this help listing.
|
-h produces this help listing.
|
||||||
|
|
||||||
If no data flags are given, default is to display all statistics
|
If no data flags are given, default is to display all statistics
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</para>
|
</para>
|
||||||
|
@ -160,143 +160,179 @@ Usage: capinfos [-t] [-c] [-s] [-d] [-u] [-a] [-e] [-y]
|
||||||
<section id="AppToolseditcap">
|
<section id="AppToolseditcap">
|
||||||
<title><command>editcap</command>: Edit capture files</title>
|
<title><command>editcap</command>: Edit capture files</title>
|
||||||
<para>
|
<para>
|
||||||
Included with Wireshark is a small utility called
|
Included with Wireshark is a small utility called
|
||||||
<command>editcap</command>, which is a command-line utility for
|
<command>editcap</command>, which is a command-line utility for
|
||||||
working with capture files. Its main function is to remove
|
working with capture files. Its main function is to remove
|
||||||
packets from capture files, but it can also be used to convert
|
packets from capture files, but it can also be used to convert
|
||||||
capture files from one format to another, as well as print
|
capture files from one format to another, as well as print
|
||||||
information about capture files.
|
information about capture files.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
|
||||||
<example id="AppToolseditcapEx">
|
<example id="AppToolseditcapEx">
|
||||||
<title>Help information available from editcap</title>
|
<title>Help information available from editcap</title>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
$ editcap.exe -h
|
$ editcap.exe -h
|
||||||
Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
Editcap 0.99.3
|
||||||
[-F <capture type>]> [-s <snaplen>] [-t <time adjustment>]
|
Edit and/or translate the format of capture files.
|
||||||
<infile> <outfile> [ <record#>[-<record#>] ... ]
|
See http://www.wireshark.org for more information.
|
||||||
where
|
|
||||||
-E <probability> specifies the probability (between 0 and 1)
|
|
||||||
that a particular byte will will have an error.
|
|
||||||
-F <capture type> specifies the capture file type to write:
|
|
||||||
libpcap - libpcap (tcpdump, Wireshark, etc.)
|
|
||||||
rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
|
|
||||||
suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
|
|
||||||
modlibpcap - modified libpcap (tcpdump)
|
|
||||||
nokialibpcap - Nokia libpcap (tcpdump)
|
|
||||||
lanalyzer - Novell LANalyzer
|
|
||||||
ngsniffer - Network Associates Sniffer (DOS-based)
|
|
||||||
snoop - Sun snoop
|
|
||||||
netmon1 - Microsoft Network Monitor 1.x
|
|
||||||
netmon2 - Microsoft Network Monitor 2.x
|
|
||||||
ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
|
|
||||||
ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
|
|
||||||
nettl - HP-UX nettl trace
|
|
||||||
visual - Visual Networks traffic capture
|
|
||||||
5views - Accellent 5Views capture
|
|
||||||
niobserverv9 - Network Instruments Observer version 9
|
|
||||||
default is libpcap
|
|
||||||
-h produces this help listing.
|
|
||||||
-r specifies that the records specified should be kept, not deleted,
|
|
||||||
default is to delete
|
|
||||||
-s <snaplen> specifies that packets should be truncated to
|
|
||||||
<snaplen> bytes of data
|
|
||||||
-t <time adjustment> specifies the time adjustment
|
|
||||||
to be applied to selected packets
|
|
||||||
-T <encap type> specifies the encapsulation type to use:
|
|
||||||
ether - Ethernet
|
|
||||||
tr - Token Ring
|
|
||||||
slip - SLIP
|
|
||||||
ppp - PPP
|
|
||||||
fddi - FDDI
|
|
||||||
fddi-swapped - FDDI with bit-swapped MAC addresses
|
|
||||||
rawip - Raw IP
|
|
||||||
arcnet - ARCNET
|
|
||||||
arcnet_linux - Linux ARCNET
|
|
||||||
atm-rfc1483 - RFC 1483 ATM
|
|
||||||
linux-atm-clip - Linux ATM CLIP
|
|
||||||
lapb - LAPB
|
|
||||||
atm-pdus - ATM PDUs
|
|
||||||
atm-pdus-untruncated - ATM PDUs - untruncated
|
|
||||||
null - NULL
|
|
||||||
ascend - Lucent/Ascend access equipment
|
|
||||||
isdn - ISDN
|
|
||||||
ip-over-fc - RFC 2625 IP-over-Fibre Channel
|
|
||||||
ppp-with-direction - PPP with Directional Info
|
|
||||||
ieee-802-11 - IEEE 802.11 Wireless LAN
|
|
||||||
prism - IEEE 802.11 plus Prism II monitor mode header
|
|
||||||
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
|
|
||||||
ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN header
|
|
||||||
ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
|
|
||||||
linux-sll - Linux cooked-mode capture
|
|
||||||
frelay - Frame Relay
|
|
||||||
frelay-with-direction - Frame Relay with Directional Info
|
|
||||||
chdlc - Cisco HDLC
|
|
||||||
ios - Cisco IOS internal
|
|
||||||
ltalk - Localtalk
|
|
||||||
pflog-old - OpenBSD PF Firewall logs, pre-3.4
|
|
||||||
hhdlc - HiPath HDLC
|
|
||||||
docsis - Data Over Cable Service Interface Specification
|
|
||||||
cosine - CoSine L2 debug log
|
|
||||||
whdlc - Wellfleet HDLC
|
|
||||||
sdlc - SDLC
|
|
||||||
tzsp - Tazmen sniffer protocol
|
|
||||||
enc - OpenBSD enc(4) encapsulating interface
|
|
||||||
pflog - OpenBSD PF Firewall logs
|
|
||||||
chdlc-with-direction - Cisco HDLC with Directional Info
|
|
||||||
bluetooth-h4 - Bluetooth H4
|
|
||||||
mtp2 - SS7 MTP2
|
|
||||||
mtp3 - SS7 MTP3
|
|
||||||
irda - IrDA
|
|
||||||
user0 - USER 0
|
|
||||||
user1 - USER 1
|
|
||||||
user2 - USER 2
|
|
||||||
user3 - USER 3
|
|
||||||
user4 - USER 4
|
|
||||||
user5 - USER 5
|
|
||||||
user6 - USER 6
|
|
||||||
user7 - USER 7
|
|
||||||
user8 - USER 8
|
|
||||||
user9 - USER 9
|
|
||||||
user10 - USER 10
|
|
||||||
user11 - USER 11
|
|
||||||
user12 - USER 12
|
|
||||||
user13 - USER 13
|
|
||||||
user14 - USER 14
|
|
||||||
user15 - USER 15
|
|
||||||
symantec - Symantec Enterprise Firewall
|
|
||||||
ap1394 - Apple IP-over-IEEE 1394
|
|
||||||
bacnet-ms-tp - BACnet MS/TP
|
|
||||||
raw-icmp-nettl - Raw ICMP with nettl headers
|
|
||||||
raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
|
|
||||||
gprs-llc - GPRS LLC
|
|
||||||
juniper-atm1 - Juniper ATM1
|
|
||||||
juniper-atm2 - Juniper ATM2
|
|
||||||
redback - Redback SmartEdge
|
|
||||||
rawip-nettl - Raw IP with nettl headers
|
|
||||||
ether-nettl - Ethernet with nettl headers
|
|
||||||
tr-nettl - Token Ring with nettl headers
|
|
||||||
fddi-nettl - FDDI with nettl headers
|
|
||||||
unknown-nettl - Unknown link-layer type with nettl headers
|
|
||||||
mtp2-with-phdr - MTP2 with pseudoheader
|
|
||||||
juniper-pppoe - Juniper PPPoE
|
|
||||||
gcom-tie1 - GCOM TIE1
|
|
||||||
gcom-serial - GCOM Serial
|
|
||||||
x25-nettl - X25 with nettl headers
|
|
||||||
default is the same as the input file
|
|
||||||
-v specifies verbose operation, default is silent
|
|
||||||
|
|
||||||
A range of records can be specified as well
|
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
|
||||||
</programlisting>
|
|
||||||
|
A single packet or a range of packets can be selected.
|
||||||
|
|
||||||
|
Packets:
|
||||||
|
-C <choplen> chop each packet at the end by <choplen> bytes
|
||||||
|
-d remove duplicate packets
|
||||||
|
-E <error probability> set the probability (between 0.0 and 1.0 incl.)
|
||||||
|
that a particular packet byte will be randomly changed
|
||||||
|
-r keep the selected packets, default is to delete them
|
||||||
|
-s <snaplen> truncate packets to max. <snaplen> bytes of data
|
||||||
|
-t <time adjustment> adjust the timestamp of selected packets,
|
||||||
|
<time adjustment> is in relative seconds (e.g. -0.5)
|
||||||
|
-A <start time> don't output packets whose timestamp is before the
|
||||||
|
given time (format as YYYY-MM-DD hh:mm:ss)
|
||||||
|
-B <stop time> don't output packets whose timestamp is after the
|
||||||
|
given time (format as YYYY-MM-DD hh:mm:ss)
|
||||||
|
|
||||||
|
Output File(s):
|
||||||
|
-c <packets per file> split the packet output to different files,
|
||||||
|
with a maximum of <packets per file> each
|
||||||
|
-F <capture type> set the output file type, default is libpcap
|
||||||
|
an empty "-F" option will list the file types
|
||||||
|
-T <encap type> set the output file encapsulation type,
|
||||||
|
default is the same as the input file
|
||||||
|
an empty "-T" option will list the encapsulation types
|
||||||
|
|
||||||
|
Miscellaneous:
|
||||||
|
-h display this help and exit
|
||||||
|
-v verbose output
|
||||||
|
|
||||||
|
$ editcap.exe -F
|
||||||
|
editcap.exe: option requires an argument -- F
|
||||||
|
editcap.exe: The available capture file types for "F":
|
||||||
|
libpcap - Wireshark/tcpdump/... - libpcap
|
||||||
|
nseclibpcap - Wireshark - nanosecond libpcap
|
||||||
|
modlibpcap - Modified tcpdump - libpcap
|
||||||
|
nokialibpcap - Nokia tcpdump - libpcap
|
||||||
|
rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
|
||||||
|
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
|
||||||
|
5views - Accellent 5Views capture
|
||||||
|
dct2000 - Catapult DCT2000 trace (.out format)
|
||||||
|
nettl - HP-UX nettl trace
|
||||||
|
netmon1 - Microsoft NetMon 1.x
|
||||||
|
netmon2 - Microsoft NetMon 2.x
|
||||||
|
ngsniffer - NA Sniffer (DOS)
|
||||||
|
ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
|
||||||
|
ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
|
||||||
|
niobserverv9 - Network Instruments Observer (V9)
|
||||||
|
lanalyzer - Novell LANalyzer
|
||||||
|
snoop - Sun snoop
|
||||||
|
rf5 - Tektronix K12xx 32-bit .rf5 format
|
||||||
|
visual - Visual Networks traffic capture
|
||||||
|
|
||||||
|
$ editcap.exe -F
|
||||||
|
editcap.exe: option requires an argument -- T
|
||||||
|
editcap.exe: The available encapsulation types for "T":
|
||||||
|
ether - Ethernet
|
||||||
|
tr - Token Ring
|
||||||
|
slip - SLIP
|
||||||
|
ppp - PPP
|
||||||
|
fddi - FDDI
|
||||||
|
fddi-swapped - FDDI with bit-swapped MAC addresses
|
||||||
|
rawip - Raw IP
|
||||||
|
arcnet - ARCNET
|
||||||
|
arcnet_linux - Linux ARCNET
|
||||||
|
atm-rfc1483 - RFC 1483 ATM
|
||||||
|
linux-atm-clip - Linux ATM CLIP
|
||||||
|
lapb - LAPB
|
||||||
|
atm-pdus - ATM PDUs
|
||||||
|
atm-pdus-untruncated - ATM PDUs - untruncated
|
||||||
|
null - NULL
|
||||||
|
ascend - Lucent/Ascend access equipment
|
||||||
|
isdn - ISDN
|
||||||
|
ip-over-fc - RFC 2625 IP-over-Fibre Channel
|
||||||
|
ppp-with-direction - PPP with Directional Info
|
||||||
|
ieee-802-11 - IEEE 802.11 Wireless LAN
|
||||||
|
prism - IEEE 802.11 plus Prism II monitor mode header
|
||||||
|
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
|
||||||
|
ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN header
|
||||||
|
ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
|
||||||
|
linux-sll - Linux cooked-mode capture
|
||||||
|
frelay - Frame Relay
|
||||||
|
frelay-with-direction - Frame Relay with Directional Info
|
||||||
|
chdlc - Cisco HDLC
|
||||||
|
ios - Cisco IOS internal
|
||||||
|
ltalk - Localtalk
|
||||||
|
pflog-old - OpenBSD PF Firewall logs, pre-3.4
|
||||||
|
hhdlc - HiPath HDLC
|
||||||
|
docsis - Data Over Cable Service Interface Specification
|
||||||
|
cosine - CoSine L2 debug log
|
||||||
|
whdlc - Wellfleet HDLC
|
||||||
|
sdlc - SDLC
|
||||||
|
tzsp - Tazmen sniffer protocol
|
||||||
|
enc - OpenBSD enc(4) encapsulating interface
|
||||||
|
pflog - OpenBSD PF Firewall logs
|
||||||
|
chdlc-with-direction - Cisco HDLC with Directional Info
|
||||||
|
bluetooth-h4 - Bluetooth H4
|
||||||
|
mtp2 - SS7 MTP2
|
||||||
|
mtp3 - SS7 MTP3
|
||||||
|
irda - IrDA
|
||||||
|
user0 - USER 0
|
||||||
|
user1 - USER 1
|
||||||
|
user2 - USER 2
|
||||||
|
user3 - USER 3
|
||||||
|
user4 - USER 4
|
||||||
|
user5 - USER 5
|
||||||
|
user6 - USER 6
|
||||||
|
user7 - USER 7
|
||||||
|
user8 - USER 8
|
||||||
|
user9 - USER 9
|
||||||
|
user10 - USER 10
|
||||||
|
user11 - USER 11
|
||||||
|
user12 - USER 12
|
||||||
|
user13 - USER 13
|
||||||
|
user14 - USER 14
|
||||||
|
user15 - USER 15
|
||||||
|
symantec - Symantec Enterprise Firewall
|
||||||
|
ap1394 - Apple IP-over-IEEE 1394
|
||||||
|
bacnet-ms-tp - BACnet MS/TP
|
||||||
|
raw-icmp-nettl - Raw ICMP with nettl headers
|
||||||
|
raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
|
||||||
|
gprs-llc - GPRS LLC
|
||||||
|
juniper-atm1 - Juniper ATM1
|
||||||
|
juniper-atm2 - Juniper ATM2
|
||||||
|
redback - Redback SmartEdge
|
||||||
|
rawip-nettl - Raw IP with nettl headers
|
||||||
|
ether-nettl - Ethernet with nettl headers
|
||||||
|
tr-nettl - Token Ring with nettl headers
|
||||||
|
fddi-nettl - FDDI with nettl headers
|
||||||
|
unknown-nettl - Unknown link-layer type with nettl headers
|
||||||
|
mtp2-with-phdr - MTP2 with pseudoheader
|
||||||
|
juniper-pppoe - Juniper PPPoE
|
||||||
|
gcom-tie1 - GCOM TIE1
|
||||||
|
gcom-serial - GCOM Serial
|
||||||
|
x25-nettl - X25 with nettl headers
|
||||||
|
k12 - K12 protocol analyzer
|
||||||
|
juniper-mlppp - Juniper MLPPP
|
||||||
|
juniper-mlfr - Juniper MLFR
|
||||||
|
juniper-ether - Juniper Ethernet
|
||||||
|
juniper-ppp - Juniper PPP
|
||||||
|
juniper-frelay - Juniper Frame-Relay
|
||||||
|
juniper-chdlc - Juniper C-HDLC
|
||||||
|
juniper-ggsn - Juniper GGSN
|
||||||
|
lapd - LAPD
|
||||||
|
dct2000 - Catapult DCT2000
|
||||||
|
ber - ASN.1 Basic Encoding Rules
|
||||||
|
</programlisting>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
Where each option has the following meaning:
|
Where each option has the following meaning:
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry><term><command>-r</command></term>
|
<varlistentry><term><command>-r</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This option specifies that the frames listed should be kept,
|
This option specifies that the frames listed should be kept,
|
||||||
not deleted. The default is to delete the listed frames.
|
not deleted. The default is to delete the listed frames.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -307,7 +343,7 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<varlistentry><term><command>-v</command></term>
|
<varlistentry><term><command>-v</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This option specifies verbose operation. The default is
|
This option specifies verbose operation. The default is
|
||||||
silent operation.
|
silent operation.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -315,15 +351,15 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<varlistentry><term><command>-T {encap type}</command></term>
|
<varlistentry><term><command>-T {encap type}</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This option specifies the frame encapsulation type to use.
|
This option specifies the frame encapsulation type to use.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
It is mainly for converting funny captures to something
|
It is mainly for converting funny captures to something
|
||||||
that Wireshark can deal with.
|
that Wireshark can deal with.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The default frame
|
The default frame
|
||||||
encapsulation type is the same as the input encapsulation.
|
encapsulation type is the same as the input encapsulation.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -331,7 +367,7 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<varlistentry><term><command>-F {capture type}</command></term>
|
<varlistentry><term><command>-F {capture type}</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This option specifies the capture file format to write
|
This option specifies the capture file format to write
|
||||||
the output file in.
|
the output file in.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
@ -356,7 +392,7 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<varlistentry><term><command>{infile}</command></term>
|
<varlistentry><term><command>{infile}</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This parameter specifies the input file to use. It must be
|
This parameter specifies the input file to use. It must be
|
||||||
present.
|
present.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -364,7 +400,7 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<varlistentry><term><command>{outfile}</command></term>
|
<varlistentry><term><command>{outfile}</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This parameter specifies the output file to use. It must
|
This parameter specifies the output file to use. It must
|
||||||
be present.
|
be present.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -373,8 +409,8 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
<term><command>[record#[-][record# ...]]</command></term>
|
<term><command>[record#[-][record# ...]]</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
This optional parameter specifies the records to include
|
This optional parameter specifies the records to include
|
||||||
or exclude (depending on the <command>-r</command> option.
|
or exclude (depending on the <command>-r</command> option.
|
||||||
You can specify individual records or a range of records.
|
You can specify individual records or a range of records.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -382,35 +418,35 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolsmergecap">
|
<section id="AppToolsmergecap">
|
||||||
<title><command>mergecap</command>:
|
<title><command>mergecap</command>:
|
||||||
Merging multiple capture files into one
|
Merging multiple capture files into one
|
||||||
</title>
|
</title>
|
||||||
<para>
|
<para>
|
||||||
Mergecap is a program that combines multiple saved capture files
|
Mergecap is a program that combines multiple saved capture files
|
||||||
into a single output file specified by the -w argument. Mergecap
|
into a single output file specified by the -w argument. Mergecap
|
||||||
knows how to read libpcap capture files, including those of tcpdump.
|
knows how to read libpcap capture files, including those of tcpdump.
|
||||||
In addition, Mergecap can read capture files from snoop (including
|
In addition, Mergecap can read capture files from snoop (including
|
||||||
Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or
|
Shomiti) and atmsnoop, LanAlyzer, Sniffer (compressed or
|
||||||
uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray,
|
uncompressed), Microsoft Network Monitor, AIX's iptrace, NetXray,
|
||||||
Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug
|
Sniffer Pro, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug
|
||||||
output, HP-UX's nettl, and the dump output from Toshiba's ISDN
|
output, HP-UX's nettl, and the dump output from Toshiba's ISDN
|
||||||
routers. There is no need to tell Mergecap what type of file you are
|
routers. There is no need to tell Mergecap what type of file you are
|
||||||
reading; it will determine the file type by itself. Mergecap is also
|
reading; it will determine the file type by itself. Mergecap is also
|
||||||
capable of reading any of these file formats if they are compressed
|
capable of reading any of these file formats if they are compressed
|
||||||
using gzip. Mergecap recognizes this directly from the file; the '.gz'
|
using gzip. Mergecap recognizes this directly from the file; the '.gz'
|
||||||
extension is not required for this purpose.
|
extension is not required for this purpose.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
By default, it writes the capture file in libpcap format, and writes
|
By default, it writes the capture file in libpcap format, and writes
|
||||||
all of the packets in both input capture files to the output file.
|
all of the packets in both input capture files to the output file.
|
||||||
The -F flag can be used to specify the format in which to write the
|
The -F flag can be used to specify the format in which to write the
|
||||||
capture file; it can write the file in libpcap format (standard
|
capture file; it can write the file in libpcap format (standard
|
||||||
libpcap format, a modified format used by some patched versions of
|
libpcap format, a modified format used by some patched versions of
|
||||||
libpcap, the format used by Red Hat Linux 6.1, or the format used
|
libpcap, the format used by Red Hat Linux 6.1, or the format used
|
||||||
by SuSE Linux 6.3), snoop format, uncompressed Sniffer format,
|
by SuSE Linux 6.3), snoop format, uncompressed Sniffer format,
|
||||||
Microsoft Network Monitor 1.x format, and the format used by
|
Microsoft Network Monitor 1.x format, and the format used by
|
||||||
Windows-based versions of the Sniffer software.
|
Windows-based versions of the Sniffer software.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
@ -426,23 +462,23 @@ Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
|
||||||
input file with more captured data than the specified snapshot length
|
input file with more captured data than the specified snapshot length
|
||||||
will have only the amount of data specified by the snapshot length
|
will have only the amount of data specified by the snapshot length
|
||||||
written to the output file. This may be useful if the program that
|
written to the output file. This may be useful if the program that
|
||||||
is to read the output file cannot handle packets larger than a
|
is to read the output file cannot handle packets larger than a
|
||||||
certain size (for example, the versions of snoop in Solaris 2.5.1 and
|
certain size (for example, the versions of snoop in Solaris 2.5.1 and
|
||||||
Solaris 2.6 appear to reject Ethernet frames larger than the standard
|
Solaris 2.6 appear to reject Ethernet frames larger than the standard
|
||||||
Ethernet MTU, making them incapable of handling gigabit Ethernet
|
Ethernet MTU, making them incapable of handling gigabit Ethernet
|
||||||
captures if jumbo frames were used).
|
captures if jumbo frames were used).
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
If the -T flag is used to specify an encapsulation type, the
|
If the -T flag is used to specify an encapsulation type, the
|
||||||
encapsulation type of the output capture file will be forced to
|
encapsulation type of the output capture file will be forced to
|
||||||
the specified type, rather than being the type appropriate to the
|
the specified type, rather than being the type appropriate to the
|
||||||
encapsulation type of the input capture file. Note that this merely
|
encapsulation type of the input capture file. Note that this merely
|
||||||
forces the encapsulation type of the output file to be the specified
|
forces the encapsulation type of the output file to be the specified
|
||||||
type; the packet headers of the packets will not be translated from the
|
type; the packet headers of the packets will not be translated from the
|
||||||
encapsulation type of the input capture file to the specified
|
encapsulation type of the input capture file to the specified
|
||||||
encapsulation type (for example, it will not translate an Ethernet
|
encapsulation type (for example, it will not translate an Ethernet
|
||||||
capture to an FDDI capture if an Ethernet capture is read
|
capture to an FDDI capture if an Ethernet capture is read
|
||||||
and '-T fddi' is specified).
|
and '-T fddi' is specified).
|
||||||
</para>
|
</para>
|
||||||
<example id="AppToolsmergecapEx">
|
<example id="AppToolsmergecapEx">
|
||||||
|
@ -551,8 +587,8 @@ Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry><term><command>-v</command></term>
|
<varlistentry><term><command>-v</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Causes <command>mergecap</command> to print a number of messages
|
Causes <command>mergecap</command> to print a number of messages
|
||||||
while it's working.
|
while it's working.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -562,7 +598,7 @@ Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]
|
||||||
<para>
|
<para>
|
||||||
Causes the frame timestamps to be ignored, writing all packets
|
Causes the frame timestamps to be ignored, writing all packets
|
||||||
from the first input file followed by all packets from the second
|
from the first input file followed by all packets from the second
|
||||||
input file. By default, when <command>-a</command> is not
|
input file. By default, when <command>-a</command> is not
|
||||||
specified, the contents
|
specified, the contents
|
||||||
of the input files are merged in chronological order based on
|
of the input files are merged in chronological order based on
|
||||||
each frame's timestamp. Note: when merging, mergecap assumes
|
each frame's timestamp. Note: when merging, mergecap assumes
|
||||||
|
@ -595,38 +631,38 @@ Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
<para>
|
<para>
|
||||||
A simple example merging <filename>dhcp-capture.libpcap</filename>
|
A simple example merging <filename>dhcp-capture.libpcap</filename>
|
||||||
and <filename>imap-1.libpcap</filename> into
|
and <filename>imap-1.libpcap</filename> into
|
||||||
<filename>outfile.libpcap</filename> is shown below.
|
<filename>outfile.libpcap</filename> is shown below.
|
||||||
</para>
|
</para>
|
||||||
<example id="AppToolsmergecapExSimple">
|
<example id="AppToolsmergecapExSimple">
|
||||||
<title>Simple example of using mergecap</title>
|
<title>Simple example of using mergecap</title>
|
||||||
<programlisting>$ mergecap -w outfile.libpcap dhcp-capture.libpcap imap-1.libpcap
|
<programlisting>$ mergecap -w outfile.libpcap dhcp-capture.libpcap imap-1.libpcap
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolstext2pcap" >
|
<section id="AppToolstext2pcap" >
|
||||||
<title><command>text2pcap</command>: Converting ASCII hexdumps to network
|
<title><command>text2pcap</command>: Converting ASCII hexdumps to network
|
||||||
captures
|
captures
|
||||||
</title>
|
</title>
|
||||||
<para>
|
<para>
|
||||||
There may be some occasions when you wish to convert a hex dump of some
|
There may be some occasions when you wish to convert a hex dump of some
|
||||||
network traffic into a libpcap file.</para>
|
network traffic into a libpcap file.</para>
|
||||||
<para>
|
<para>
|
||||||
<command>Text2pcap</command> is a program that reads in an ASCII hex
|
<command>Text2pcap</command> is a program that reads in an ASCII hex
|
||||||
dump and writes the data described into a libpcap-style capture file.
|
dump and writes the data described into a libpcap-style capture file.
|
||||||
text2pcap can read hexdumps with multiple packets in them, and build a
|
text2pcap can read hexdumps with multiple packets in them, and build a
|
||||||
capture file of multiple packets. text2pcap is also capable of
|
capture file of multiple packets. text2pcap is also capable of
|
||||||
generating dummy Ethernet, IP and UDP headers, in order to build fully
|
generating dummy Ethernet, IP and UDP headers, in order to build fully
|
||||||
processable packet dumps from hexdumps of application-level data only.
|
processable packet dumps from hexdumps of application-level data only.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Text2pcap understands a hexdump of the form generated by od -A x -t x1. In
|
Text2pcap understands a hexdump of the form generated by od -A x -t x1. In
|
||||||
other words, each byte is individually displayed and surrounded with a
|
other words, each byte is individually displayed and surrounded with a
|
||||||
space. Each line begins with an offset describing the position in the
|
space. Each line begins with an offset describing the position in the
|
||||||
file. The offset is a hex number (can also be octal - see -o), of
|
file. The offset is a hex number (can also be octal - see -o), of
|
||||||
more than two hex digits. Here is a sample dump that text2pcap can
|
more than two hex digits. Here is a sample dump that text2pcap can
|
||||||
recognize:
|
recognize:
|
||||||
</para>
|
</para>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
|
@ -639,31 +675,31 @@ Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]
|
||||||
000030 01 01 0f 19 03 80 11 01 ........
|
000030 01 01 0f 19 03 80 11 01 ........
|
||||||
</programlisting>
|
</programlisting>
|
||||||
<para>
|
<para>
|
||||||
There is no limit on the width or number of bytes per line. Also the
|
There is no limit on the width or number of bytes per line. Also the
|
||||||
text dump at the end of the line is ignored. Bytes/hex numbers can be
|
text dump at the end of the line is ignored. Bytes/hex numbers can be
|
||||||
uppercase or lowercase. Any text before the offset is ignored,
|
uppercase or lowercase. Any text before the offset is ignored,
|
||||||
including email forwarding characters '>'. Any lines of text
|
including email forwarding characters '>'. Any lines of text
|
||||||
between the bytestring lines is ignored. The offsets are used to
|
between the bytestring lines is ignored. The offsets are used to
|
||||||
track the bytes, so offsets must be correct. Any line which has only
|
track the bytes, so offsets must be correct. Any line which has only
|
||||||
bytes without a leading offset is ignored. An offset is recognized
|
bytes without a leading offset is ignored. An offset is recognized
|
||||||
as being a hex number longer than two characters. Any text after the
|
as being a hex number longer than two characters. Any text after the
|
||||||
bytes is ignored (e.g. the character dump). Any hex numbers in this
|
bytes is ignored (e.g. the character dump). Any hex numbers in this
|
||||||
text are also ignored. An offset of zero is indicative of starting a
|
text are also ignored. An offset of zero is indicative of starting a
|
||||||
new packet, so a single text file with a series of hexdumps can be
|
new packet, so a single text file with a series of hexdumps can be
|
||||||
converted into a packet capture with multiple packets. Multiple
|
converted into a packet capture with multiple packets. Multiple
|
||||||
packets are read in with timestamps differing by one second each.
|
packets are read in with timestamps differing by one second each.
|
||||||
In general, short of these restrictions, text2pcap is pretty liberal
|
In general, short of these restrictions, text2pcap is pretty liberal
|
||||||
about reading in hexdumps and has been tested with a variety of mangled
|
about reading in hexdumps and has been tested with a variety of mangled
|
||||||
outputs (including being forwarded through email multiple times,
|
outputs (including being forwarded through email multiple times,
|
||||||
with limited line wrap etc.)
|
with limited line wrap etc.)
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
There are a couple of other special features to note. Any line where
|
There are a couple of other special features to note. Any line where
|
||||||
the first non-whitespace character is '#' will be ignored as a
|
the first non-whitespace character is '#' will be ignored as a
|
||||||
comment. Any line beginning with #TEXT2PCAP is a directive and options
|
comment. Any line beginning with #TEXT2PCAP is a directive and options
|
||||||
can be inserted after this command to be processed by text2pcap.
|
can be inserted after this command to be processed by text2pcap.
|
||||||
Currently there are no directives implemented; in the future, these
|
Currently there are no directives implemented; in the future, these
|
||||||
may be used to give more fine grained control on the dump and the
|
may be used to give more fine grained control on the dump and the
|
||||||
way it should be processed e.g. timestamps, encapsulation type etc.
|
way it should be processed e.g. timestamps, encapsulation type etc.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
|
@ -731,8 +767,8 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<varlistentry><term><command>-w <filename></command></term>
|
<varlistentry><term><command>-w <filename></command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Write the capture file generated by <command>text2pcap</command>
|
Write the capture file generated by <command>text2pcap</command>
|
||||||
to <filename>. The default is to write to standard
|
to <filename>. The default is to write to standard
|
||||||
output.
|
output.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -745,7 +781,7 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<varlistentry><term><command>-d</command></term>
|
<varlistentry><term><command>-d</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Displays debugging information during the process. Can be
|
Displays debugging information during the process. Can be
|
||||||
used multiple times to generate more debugging information.
|
used multiple times to generate more debugging information.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -764,19 +800,19 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry><term><command>-l</command></term>
|
<varlistentry><term><command>-l</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specify the link-layer type of this packet. Default is
|
Specify the link-layer type of this packet. Default is
|
||||||
Ethernet(1). See net/bpf.h for the complete list of possible
|
Ethernet(1). See net/bpf.h for the complete list of possible
|
||||||
encapsulations. Note that this option should be used if your
|
encapsulations. Note that this option should be used if your
|
||||||
dump is a complete hex dump of an encapsulated packet and you
|
dump is a complete hex dump of an encapsulated packet and you
|
||||||
wish to specify the exact type of encapsulation. Example: -l 7
|
wish to specify the exact type of encapsulation. Example: -l 7
|
||||||
for ARCNet packets.
|
for ARCNet packets.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry><term><command>-e l3pid</command></term>
|
<varlistentry><term><command>-e l3pid</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Include a dummy Ethernet header before each packet. Specify the
|
Include a dummy Ethernet header before each packet. Specify the
|
||||||
L3PID for the Ethernet header in hex. Use this option if your
|
L3PID for the Ethernet header in hex. Use this option if your
|
||||||
dump has Layer 3 header and payload (e.g. IP header), but no
|
dump has Layer 3 header and payload (e.g. IP header), but no
|
||||||
|
@ -795,42 +831,42 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<varlistentry><term><command>-u srcport destport</command></term>
|
<varlistentry><term><command>-u srcport destport</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Include dummy UDP headers before each packet. Specify the
|
Include dummy UDP headers before each packet. Specify the
|
||||||
source and destination UDP ports for the packet in decimal.
|
source and destination UDP ports for the packet in decimal.
|
||||||
Use this option if your dump is the UDP payload of a packet but
|
Use this option if your dump is the UDP payload of a packet but
|
||||||
does not include any UDP, IP or Ethernet headers. Note that this
|
does not include any UDP, IP or Ethernet headers. Note that this
|
||||||
automatically includes appropriate Ethernet and IP headers with
|
automatically includes appropriate Ethernet and IP headers with
|
||||||
each packet. Example: -u 1000 69 to make the packets look like
|
each packet. Example: -u 1000 69 to make the packets look like
|
||||||
TFTP/UDP packets.
|
TFTP/UDP packets.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="AppToolsidl2wrs" >
|
<section id="AppToolsidl2wrs" >
|
||||||
<title><command>idl2wrs</command>:
|
<title><command>idl2wrs</command>:
|
||||||
Creating dissectors from CORBA IDL files
|
Creating dissectors from CORBA IDL files
|
||||||
</title>
|
</title>
|
||||||
<para>
|
<para>
|
||||||
In an ideal world idl2wrs would be mentioned in the users guide
|
In an ideal world idl2wrs would be mentioned in the users guide
|
||||||
in passing and documented in the developers guide. As the
|
in passing and documented in the developers guide. As the
|
||||||
developers guide
|
developers guide
|
||||||
has not yet been completed it will be documented here.
|
has not yet been completed it will be documented here.
|
||||||
</para>
|
</para>
|
||||||
<section>
|
<section>
|
||||||
<title>What is it?</title>
|
<title>What is it?</title>
|
||||||
<para>
|
<para>
|
||||||
As you have probably guessed from the name,
|
As you have probably guessed from the name,
|
||||||
<command>idl2wrs</command> takes a
|
<command>idl2wrs</command> takes a
|
||||||
user specified IDL file and attempts to build a dissector that
|
user specified IDL file and attempts to build a dissector that
|
||||||
can decode the IDL traffic over GIOP. The resulting file is
|
can decode the IDL traffic over GIOP. The resulting file is
|
||||||
"C" code, that should compile okay as a Wireshark dissector.
|
"C" code, that should compile okay as a Wireshark dissector.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
<command>idl2wrs</command> basically parses the data struct given to
|
<command>idl2wrs</command> basically parses the data struct given to
|
||||||
it by the omniidl compiler, and using the GIOP API available in
|
it by the omniidl compiler, and using the GIOP API available in
|
||||||
packet-giop.[ch], generates get_CDR_xxx calls to decode the
|
packet-giop.[ch], generates get_CDR_xxx calls to decode the
|
||||||
CORBA traffic on the wire.
|
CORBA traffic on the wire.
|
||||||
</para>
|
</para>
|
||||||
<para>It consists of 4 main files.</para>
|
<para>It consists of 4 main files.</para>
|
||||||
|
@ -888,12 +924,12 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<title>Prerequisites to using idl2wrs</title>
|
<title>Prerequisites to using idl2wrs</title>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Python must be installed. See
|
Python must be installed. See
|
||||||
<ulink url="http://python.org/"/>
|
<ulink url="http://python.org/"/>
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
omniidl from the the omniORB package must be available. See
|
omniidl from the the omniORB package must be available. See
|
||||||
<ulink url="http://omniorb.sourceforge.net/"/>
|
<ulink url="http://omniorb.sourceforge.net/"/>
|
||||||
</para>
|
</para>
|
||||||
|
@ -901,18 +937,18 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Of course you need Wireshark installed to compile the
|
Of course you need Wireshark installed to compile the
|
||||||
code and tweak it if required. idl2wrs is part of the
|
code and tweak it if required. idl2wrs is part of the
|
||||||
standard Wireshark distribution
|
standard Wireshark distribution
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
<para>
|
<para>
|
||||||
To use idl2wrs to generate an Wireshark dissector from an idl file
|
To use idl2wrs to generate an Wireshark dissector from an idl file
|
||||||
use the following procedure:
|
use the following procedure:
|
||||||
</para>
|
</para>
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<title>
|
<title>
|
||||||
Procedure for converting a CORBA idl file into a Wireshark
|
Procedure for converting a CORBA idl file into a Wireshark
|
||||||
dissector
|
dissector
|
||||||
</title>
|
</title>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -926,7 +962,7 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
<para>
|
<para>
|
||||||
To write to a file, just redirect the output.
|
To write to a file, just redirect the output.
|
||||||
<programlisting>idl2wrs echo.idl > packet-test-idl.c</programlisting>
|
<programlisting>idl2wrs echo.idl > packet-test-idl.c</programlisting>
|
||||||
You may wish to comment out the register_giop_user_module() code
|
You may wish to comment out the register_giop_user_module() code
|
||||||
and that will leave you with heuristic dissection.
|
and that will leave you with heuristic dissection.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -952,7 +988,7 @@ where <input-filename> specifies input filename (use - for standard input)
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Copy the resulting C code to your Wireshark src directory,
|
Copy the resulting C code to your Wireshark src directory,
|
||||||
edit the two make files to include the packet-test-idl.c
|
edit the two make files to include the packet-test-idl.c
|
||||||
<programlisting>
|
<programlisting>
|
||||||
cp packet-test-idl.c /dir/where/wireshark/lives/
|
cp packet-test-idl.c /dir/where/wireshark/lives/
|
||||||
|
@ -984,8 +1020,8 @@ edit Makefile.nmake
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Enums not converted to symbolic values (yet), but can be added
|
Enums not converted to symbolic values (yet), but can be added
|
||||||
manually.
|
manually.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -1006,18 +1042,18 @@ edit Makefile.nmake
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The "-p ./" option passed to omniidl indicates that the
|
The "-p ./" option passed to omniidl indicates that the
|
||||||
wireshark_be.py and wireshark_gen.py are residing in the
|
wireshark_be.py and wireshark_gen.py are residing in the
|
||||||
current directory. This may need
|
current directory. This may need
|
||||||
tweaking if you place these files somewhere else.
|
tweaking if you place these files somewhere else.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
If it complains about being unable to find some modules
|
If it complains about being unable to find some modules
|
||||||
(eg tempfile.py),
|
(eg tempfile.py),
|
||||||
you may want to check if PYTHONPATH is set correctly.
|
you may want to check if PYTHONPATH is set correctly.
|
||||||
On my Linux box, it is PYTHONPATH=/usr/lib/python1.5/
|
On my Linux box, it is PYTHONPATH=/usr/lib/python1.5/
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
85
editcap.c
85
editcap.c
|
@ -48,6 +48,8 @@
|
||||||
# include "strptime.h"
|
# include "strptime.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include "epan/crypt-md5.h"
|
||||||
|
|
||||||
#include "svnversion.h"
|
#include "svnversion.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -61,6 +63,19 @@ struct select_item {
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Duplicate frame detection
|
||||||
|
*/
|
||||||
|
typedef struct _fd_hash_t {
|
||||||
|
md5_byte_t digest[16];
|
||||||
|
guint32 len;
|
||||||
|
} fd_hash_t;
|
||||||
|
|
||||||
|
#define DUP_DEPTH 5
|
||||||
|
fd_hash_t fd_hash[DUP_DEPTH];
|
||||||
|
int cur_dup = 0;
|
||||||
|
|
||||||
#define ONE_MILLION 1000000
|
#define ONE_MILLION 1000000
|
||||||
|
|
||||||
/* Weights of different errors we can introduce */
|
/* Weights of different errors we can introduce */
|
||||||
|
@ -93,6 +108,7 @@ static double err_prob = 0.0;
|
||||||
static time_t starttime = 0;
|
static time_t starttime = 0;
|
||||||
static time_t stoptime = 0;
|
static time_t stoptime = 0;
|
||||||
static gboolean check_startstop = FALSE;
|
static gboolean check_startstop = FALSE;
|
||||||
|
static gboolean dup_detect = FALSE;
|
||||||
|
|
||||||
/* Add a selection item, a simple parser for now */
|
/* Add a selection item, a simple parser for now */
|
||||||
|
|
||||||
|
@ -228,6 +244,36 @@ set_time_adjustment(char *optarg)
|
||||||
time_adj.tv.tv_usec = val;
|
time_adj.tv.tv_usec = val;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static gboolean
|
||||||
|
is_duplicate(guint8* fd, guint32 len) {
|
||||||
|
int i;
|
||||||
|
md5_state_t ms;
|
||||||
|
|
||||||
|
cur_dup++;
|
||||||
|
if (cur_dup >= DUP_DEPTH)
|
||||||
|
cur_dup = 0;
|
||||||
|
|
||||||
|
/* Calculate our digest */
|
||||||
|
md5_init(&ms);
|
||||||
|
md5_append(&ms, fd, len);
|
||||||
|
md5_finish(&ms, fd_hash[cur_dup].digest);
|
||||||
|
|
||||||
|
fd_hash[cur_dup].len = len;
|
||||||
|
|
||||||
|
/* Look for duplicates */
|
||||||
|
for (i = 0; i < DUP_DEPTH; i++) {
|
||||||
|
if (i == cur_dup)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (fd_hash[i].len == fd_hash[cur_dup].len &&
|
||||||
|
memcmp(fd_hash[i].digest, fd_hash[cur_dup].digest, 16) == 0) {
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
static void usage(void)
|
static void usage(void)
|
||||||
{
|
{
|
||||||
fprintf(stderr, "Editcap %s"
|
fprintf(stderr, "Editcap %s"
|
||||||
|
@ -244,6 +290,7 @@ static void usage(void)
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
fprintf(stderr, "Packets:\n");
|
fprintf(stderr, "Packets:\n");
|
||||||
fprintf(stderr, " -C <choplen> chop each packet at the end by <choplen> bytes\n");
|
fprintf(stderr, " -C <choplen> chop each packet at the end by <choplen> bytes\n");
|
||||||
|
fprintf(stderr, " -d remove duplicate packets\n");
|
||||||
fprintf(stderr, " -E <error probability> set the probability (between 0.0 and 1.0 incl.)\n");
|
fprintf(stderr, " -E <error probability> set the probability (between 0.0 and 1.0 incl.)\n");
|
||||||
fprintf(stderr, " that a particular packet byte will be randomly changed\n");
|
fprintf(stderr, " that a particular packet byte will be randomly changed\n");
|
||||||
fprintf(stderr, " -r keep the selected packets, default is to delete them\n");
|
fprintf(stderr, " -r keep the selected packets, default is to delete them\n");
|
||||||
|
@ -319,7 +366,7 @@ int main(int argc, char *argv[])
|
||||||
|
|
||||||
/* Process the options first */
|
/* Process the options first */
|
||||||
|
|
||||||
while ((opt = getopt(argc, argv, "A:B:c:C:E:F:hrs:t:T:v")) !=-1) {
|
while ((opt = getopt(argc, argv, "A:B:c:C:dE:F:hrs:t:T:v")) !=-1) {
|
||||||
|
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
|
|
||||||
|
@ -366,6 +413,14 @@ int main(int argc, char *argv[])
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case 'd':
|
||||||
|
dup_detect = TRUE;
|
||||||
|
for (i = 0; i < DUP_DEPTH; i++) {
|
||||||
|
memset(&fd_hash[i].digest, 0, 16);
|
||||||
|
fd_hash[i].len = 0;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
case '?': /* Bad options if GNU getopt */
|
case '?': /* Bad options if GNU getopt */
|
||||||
switch(optopt) {
|
switch(optopt) {
|
||||||
case'F':
|
case'F':
|
||||||
|
@ -427,11 +482,11 @@ int main(int argc, char *argv[])
|
||||||
optarg);
|
optarg);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
check_startstop = TRUE;
|
check_startstop = TRUE;
|
||||||
starttime = mktime(&starttm);
|
starttime = mktime(&starttm);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case 'B':
|
case 'B':
|
||||||
{
|
{
|
||||||
struct tm stoptm;
|
struct tm stoptm;
|
||||||
|
@ -450,7 +505,7 @@ int main(int argc, char *argv[])
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef DEBUG
|
#ifdef DEBUG
|
||||||
printf("Optind = %i, argc = %i\n", optind, argc);
|
printf("Optind = %i, argc = %i\n", optind, argc);
|
||||||
#endif
|
#endif
|
||||||
|
@ -469,15 +524,15 @@ int main(int argc, char *argv[])
|
||||||
stoptm.tm_year = 135;
|
stoptm.tm_year = 135;
|
||||||
stoptm.tm_mday = 31;
|
stoptm.tm_mday = 31;
|
||||||
stoptm.tm_mon = 11;
|
stoptm.tm_mon = 11;
|
||||||
|
|
||||||
stoptime = mktime(&stoptm);
|
stoptime = mktime(&stoptm);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (starttime > stoptime) {
|
if (starttime > stoptime) {
|
||||||
fprintf(stderr, "editcap: start time is after the stop time\n");
|
fprintf(stderr, "editcap: start time is after the stop time\n");
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
wth = wtap_open_offline(argv[optind], &err, &err_info, FALSE);
|
wth = wtap_open_offline(argv[optind], &err, &err_info, FALSE);
|
||||||
|
|
||||||
if (!wth) {
|
if (!wth) {
|
||||||
|
@ -522,7 +577,7 @@ int main(int argc, char *argv[])
|
||||||
} else {
|
} else {
|
||||||
filename = argv[optind+1];
|
filename = argv[optind+1];
|
||||||
}
|
}
|
||||||
|
|
||||||
pdh = wtap_dump_open(filename, out_file_type,
|
pdh = wtap_dump_open(filename, out_file_type,
|
||||||
out_frame_type, wtap_snapshot_length(wth), FALSE /* compressed */, &err);
|
out_frame_type, wtap_snapshot_length(wth), FALSE /* compressed */, &err);
|
||||||
if (pdh == NULL) {
|
if (pdh == NULL) {
|
||||||
|
@ -555,11 +610,11 @@ int main(int argc, char *argv[])
|
||||||
pdh = wtap_dump_open(filename, out_file_type,
|
pdh = wtap_dump_open(filename, out_file_type,
|
||||||
out_frame_type, wtap_snapshot_length(wth), FALSE /* compressed */, &err);
|
out_frame_type, wtap_snapshot_length(wth), FALSE /* compressed */, &err);
|
||||||
if (pdh == NULL) {
|
if (pdh == NULL) {
|
||||||
|
|
||||||
fprintf(stderr, "editcap: Can't open or create %s: %s\n", filename,
|
fprintf(stderr, "editcap: Can't open or create %s: %s\n", filename,
|
||||||
wtap_strerror(err));
|
wtap_strerror(err));
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -619,6 +674,16 @@ int main(int argc, char *argv[])
|
||||||
phdr = &snap_phdr;
|
phdr = &snap_phdr;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (dup_detect) {
|
||||||
|
buf = wtap_buf_ptr(wth);
|
||||||
|
if (is_duplicate(buf, phdr->caplen)) {
|
||||||
|
if (verbose)
|
||||||
|
printf("Skipping duplicate: %u\n", count);
|
||||||
|
count++;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (err_prob > 0.0) {
|
if (err_prob > 0.0) {
|
||||||
buf = wtap_buf_ptr(wth);
|
buf = wtap_buf_ptr(wth);
|
||||||
for (i = 0; i < (int) phdr->caplen; i++) {
|
for (i = 0; i < (int) phdr->caplen; i++) {
|
||||||
|
|
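Review bot: `fd_hash` and `cur_dup` in the hunk at `@ -61,6 +63,19` are file-scope definitions without `static`, unlike the neighbouring `dup_detect`, `starttime` and `stoptime`; they are only used by `is_duplicate()` and `main()` in this file, so `static fd_hash_t fd_hash[DUP_DEPTH];` and `static int cur_dup = 0;` keep them out of the program's global namespace. The digest size 16 is also spelled out three times (the `digest[16]` member, `memcmp(..., 16)` in `is_duplicate()` and `memset(&fd_hash[i].digest, 0, 16)` under `case 'd'`); `sizeof fd_hash[i].digest` in the latter two ties them to the struct. Because `is_duplicate()` decides on length plus MD5 only, two distinct frames of equal caplen whose MD5 digests collide would be treated as duplicates and the later one silently dropped, which matters for a tool that processes captures from untrusted networks; a comment at the top of `is_duplicate()` such as `/* Equality is (caplen, MD5) only; frames are not byte-compared, so an MD5 collision drops a distinct frame. */` would record that, or, since the window is only DUP_DEPTH frames deep, a byte comparison against a retained copy on digest match would remove the dependency on MD5 entirely.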